A CONSISTENT AND COMPLETE DEDUCTIVE 
SYSTEM FOR THE VERIFICATION OF 
PARALLEL PROGRAMS+ 

Susan Owicki 
TR 76-278 
May 1976 



Department of Computer Science 
Cornell University 
Ithaca, New York 14853 



+ This research partially supported by National Science Foundation 
grant GJ-42512. 



A CONSISTENT AND COMPLETE DEDUCTIVE SYSTEM FOR THE VERIFICATION OF 

PARALLEL PROGRAMS* 

Susan Owicki 
Cornell University 



ABSTRACT:

The semantics of a simple parallel 
programming language is presented in two 
ways: deductively, by a set of Hoare-like 
axioms and inference rules, and operation- 
ally, by means of an interpreter. It is 
shown that the deductive system is con- 
sistent with the interpreter. It would be 
desirable to show that the deductive sys-
tem is also complete with respect to the 
interpreter, but this is impossible since 
the programming language contains the 
natural numbers. Instead it is proved 
that the deductive system is complete 
relative to a complete proof system for 
the natural numbers; this result is similar 
to Cook's relative completeness for se- 
quential programs. 

The deductive semantics given here is 
an extension of an incomplete deductive 
system proposed by Hoare. The key differ-
ence is an additional inference rule which 
provides for the introduction of auxiliary 
variables in a program to be verified. 

1. INTRODUCTION 

The presence of parallelism in a pro- 
gramming language greatly complicates the 
problem of program verification, due to 
the essential non-determinism introduced 
by concurrency. A number of techniques 
for verifying parallel programs have been 
suggested, see [1], [2], [3], [4], 
[10], [12], [13], [14], [15], [17], [20]. 
The technique presented here is a de- 
ductive system for proving the partial 
correctness of parallel programs; it is 
an extension of Hoare's work [10]. The
utility of the proposed deductive system 
has been demonstrated elsewhere (see [8],
[18], [19]): it provides an easy-to-use
technique for proving partial correctness; 
it gives the programmer guidance in creat- 
ing well-structured and easily-verified 
programs; and it can be the starting point 
in the proof of a number of additional 
properties of parallel programs (e.g.
termination, freedom from deadlock, mutual
exclusion). In this paper the deductive
system is evaluated from a more mathe-
matical perspective and is shown to be
consistent and in some sense complete with
respect to an interpretive model of program
execution.

The consistency and completeness of 
Hoare's deductive system for sequential
programs has been discussed by Cook [5], 
who introduced the important concept of 
completeness relative to a proof system 
for the data types of the programming lan- 
guage. The approach taken here is quite 
similar to Cook's: first the programming 
language is presented and its semantics 
given both by a deductive system and by an 
interpreter. It is then possible to show 
that the deductive semantics is consistent 
and relatively complete with respect to 
the interpreter, although these results 
cannot be proved as directly as they can 
be for sequential programs. In particular, 
in order to obtain completeness, an infer- 
ence rule is needed which allows the addi- 
tion of variables and assignment statements 
to the program to be verified. 

2. THE PROGRAMMING LANGUAGE 

The programming language used is derived 
from Algol 60. It contains the usual 
assignment, conditional, while, compound
and null statements, plus two statements 
intended for parallel programming. Var- 
iables and expressions range over the 
natural numbers with the usual operations. 
Procedures and variable declarations are 
not included, since they introduce compli- 
cations which are irrelevant to the prob- 
lems of parallelism. 

Parallel execution is initiated by a 
statement of the form 

    resource r_1(variable list), ..., r_m(variable list):
        parbegin S_1 // ... // S_n parend

Here a resource r_j is a set of logically
connected shared variables, and S_1, ..., S_n
are statements to be executed in parallel
(i.e. parallel processes). No assumption
is made about the way parallel execution
is implemented, or about the relative
speeds of the parallel processes.

The second statement, called a critical 
section, provides for synchronization and 
protection of shared variables. A state- 
ment of the form: 

with r when B do S 

has the following interpretation: r is a 
resource, B is a Boolean expression, and 
S is a statement which uses the variables 
of r. When a process attempts to execute 
such a statement, it is delayed until the 
condition B is true and r is not being 
used by another process. When the pro- 
cess has control of r and B is true, S is 
executed. Upon termination r is free for 
further use by other processes. 

Much of the complexity of parallel 
programs stems from the way processes can 
interfere with each other as they use 
shared variables. The following syntax 
restrictions ensure that all variables 
which could cause conflict are accessible 
to only one process at a time. 

1. If variable x belongs to resource r,
   it cannot appear in a parallel pro-
   cess except in a critical section for
   r.

2. If variable x is changed in process
   S_i, it cannot appear in S_j (i ≠ j)
   unless it belongs to a resource.



3. DEDUCTIVE SEMANTICS — THE AXIOMS AND 
INFERENCE RULES 

In the deductive semantics, the mean- 
ing of a programming language statement 
S is given by the formula {P}S{Q}. Here 
P and Q are assertions, i.e. formulas of 
the first-order predicate calculus (the 
assertion language used in this paper 
includes the natural numbers with the 
usual operations). Informally, the 
partial correctness formula {P}S{Q} 
means that if P is true before S is 
executed, either S will fail to halt or 
Q will hold after S finishes execution. 

Figure 1 gives the axioms and infer- 
ence rules for the parallel language of 
Section 1. A0-A5 are Hoare's sequential
rules [9]. The proof system D in A0 can
be any sound proof system for the natural
numbers — this is discussed further in
Section 6. A6-A7 are stronger versions
of the rules proposed by Hoare in [10].
Note that an invariant relation I(r_j) is
required for each resource r_j; I(r_j) de-
scribes the "reasonable" states of the
resource. I(r_j) must be true when par-
allel execution begins (A7) and is pre-
served by each critical section (A6);
thus in A7 it is assumed to hold when
parallel execution ends.



A0 consequence
    {P'} S {Q'},  P ⊢_D P',  Q' ⊢_D Q
    ---------------------------------
               {P} S {Q}

A1 assignment
    {P[E/x]} x:=E {P}
    (P[E/x] is P with E substituted for every free occurrence of x)

A2 null
    {P} ; {P}

A3 composition
    {P_1} S_1 {P_2}, {P_2} S_2 {P_3}, ..., {P_n} S_n {P_{n+1}}
    -------------------------------------------------------
          {P_1} begin S_1; ...; S_n end {P_{n+1}}

A4 alternation
    {P ∧ B} S_1 {Q},  {P ∧ ¬B} S_2 {Q}
    ----------------------------------
      {P} if B then S_1 else S_2 {Q}

A5 iteration
          {P ∧ B} S {P}
    ---------------------------
    {P} while B do S {P ∧ ¬B}

A6 critical section
    {P ∧ B ∧ I(r)} S {Q ∧ I(r)}
    -----------------------------
     {P} with r when B do S {Q}

A7 parallel
    {P_i} S_i {Q_i},  1 ≤ i ≤ n
    -------------------------------------------------------------
    {P_1 ∧ ... ∧ P_n ∧ I(r_1) ∧ ... ∧ I(r_m)}
        resource r_1(), ..., r_m():
            parbegin S_1 // ... // S_n parend
    {Q_1 ∧ ... ∧ Q_n ∧ I(r_1) ∧ ... ∧ I(r_m)}

    provided the proof of {P_i} S_i {Q_i} uses
    variables safely (see text)

A8 auxiliary variables

    Let AV be a set of variables such that x ∈ AV
    ⇒ x appears in S' only in assignments y:=E,
    where y ∈ AV. Then if P and Q are assertions
    which do not contain free any variables from
    AV, and if S is obtained from S' by deleting
    all assignments to variables in AV,

          {P} S' {Q}
        --------------
          {P} S {Q}


Figure 1. Axioms and Inference Rules
for the Parallel Programming Language



Rule A7 requires that the proof of
{P_i} S_i {Q_i} use variables safely. This is
a syntactic restriction which ensures that
in each line {P'} S' {Q'} in the proof of
{P_i} S_i {Q_i}, P' and Q' contain only those
variables which process S_i has a right to
access at S'.

Definition: Let S be the statement

    resource r_1(), ..., r_m():
        parbegin S_1 // ... // S_n parend

and let S' be a statement in process S_i.
Then

Proof-var(r_j, S)
  = {x : x is not assigned a value in S
         except in a critical section for r_j}

Proof-var(S', S)
  = {x : x is not assigned a value in any
         process S_j with i ≠ j, or
         x ∈ Proof-var(r_j, S) and S' is
         inside a critical section for r_j}

(We will use Proof-var(r_j) and
Proof-var(S') when S is obvious from
context).

Definition: Let S be a parbegin statement
with processes S_1, ..., S_n and resources
r_1, ..., r_m. Then a proof of {P_i} S_i {Q_i}
uses variables safely iff

1. all free variables in I(r_j) belong to
   Proof-var(r_j, S), 1 ≤ j ≤ m

2. if S' is a statement in S_i, and
   {P} S' {Q} is a line in the proof, then
   all free variables in P and Q belong
   to Proof-var(S', S), 1 ≤ i ≤ n

Note that the variables in Proof-var(S', S)
are exactly those which cannot be changed
by another process when S' is being
executed.
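The two definitions above are syntactic, so they can be computed mechanically. The following Python, added here and not code from the paper, derives Proof-var(r_j, S) and Proof-var(S', S) from a program tree and checks conditions 1 and 2 of "uses variables safely" against the free variables of given proof lines. Assumptions made for the example: the tuple encoding of statements, the labels A1/A2 for add2 (Figure 3, later on this page) and C1/B1/C2/B2 for the two critical sections and their bodies in add1 (Figure 2), and the simplification that "variables of S" means the declared resource variables plus all assignment targets.

```python
"""Proof-variable analysis behind the 'uses variables safely' side condition
of A7, computed syntactically from a program tree (added here, not the
paper's own code)."""
from typing import Dict, FrozenSet, Iterator, List, Set, Tuple

# Assumed tuple encoding of statements; expressions stay opaque strings,
# since only assignment targets and critical-section nesting matter here.
#   ('assign', x, expr)   ('seq', [stmts])   ('if', b, s1, s2)   ('while', b, s)
#   ('with', r, b, body)  critical section for resource r
#   ('lbl', name, stmt)   names a statement so it can be looked up
#   ('par', {r: [vars]}, [processes])   resource declarations + parbegin

def assignments(stmt, inside: FrozenSet[str] = frozenset()) -> Iterator[Tuple[str, FrozenSet[str]]]:
    """Yield (assigned variable, resources whose critical sections enclose it)."""
    kind = stmt[0]
    if kind == 'assign':
        yield stmt[1], inside
    elif kind == 'seq':
        for s in stmt[1]:
            yield from assignments(s, inside)
    elif kind == 'if':
        yield from assignments(stmt[2], inside)
        yield from assignments(stmt[3], inside)
    elif kind == 'while':
        yield from assignments(stmt[2], inside)
    elif kind == 'with':
        yield from assignments(stmt[3], inside | {stmt[1]})
    elif kind == 'lbl':
        yield from assignments(stmt[2], inside)
    elif kind == 'par':
        for p in stmt[2]:
            yield from assignments(p, inside)

def variables(par) -> Set[str]:
    """Variables of S, taken here as declared resource variables plus assignment targets."""
    return {x for vs in par[1].values() for x in vs} | {x for x, _ in assignments(par)}

def proof_var_resource(par, r: str) -> Set[str]:
    """Proof-var(r, S): not assigned in S except inside a critical section for r."""
    return {x for x in variables(par)
            if all(r in inside for y, inside in assignments(par) if y == x)}

def locate(par, label: str):
    """(process index i, resources whose critical sections enclose the labelled
    statement S'), or None when the label does not occur in any process."""
    def walk(stmt, inside):
        kind = stmt[0]
        if kind == 'lbl':
            return inside if stmt[1] == label else walk(stmt[2], inside)
        if kind == 'with':
            return walk(stmt[3], inside | {stmt[1]})
        if kind == 'seq':
            children = stmt[1]
        elif kind == 'if':
            children = (stmt[2], stmt[3])
        elif kind == 'while':
            children = (stmt[2],)
        else:
            children = ()
        for s in children:
            found = walk(s, inside)
            if found is not None:
                return found
        return None
    for i, proc in enumerate(par[2], start=1):
        found = walk(proc, frozenset())
        if found is not None:
            return i, found
    return None

def proof_var_stmt(par, label: str) -> Set[str]:
    """Proof-var(S', S) for the labelled statement S' in process S_i."""
    i, inside = locate(par, label)
    assigned_elsewhere = {x for k, p in enumerate(par[2], start=1) if k != i
                          for x, _ in assignments(p)}
    return {x for x in variables(par)
            if x not in assigned_elsewhere
            or any(x in proof_var_resource(par, r) for r in inside)}

def uses_variables_safely(par, invariants: Dict[str, List[str]],
                          proof_lines: List[Tuple[str, List[str], List[str]]]) -> list:
    """Conditions 1 and 2 of the definition. invariants maps r to the free
    variables of I(r); proof_lines holds (label, free vars of P, free vars of Q)
    for each line {P} S' {Q} of a process proof. Returns the violations found."""
    violations = []
    for r, free in invariants.items():
        extra = set(free) - proof_var_resource(par, r)
        if extra:
            violations.append(('invariant', r, extra))
    for label, pre, post in proof_lines:
        extra = (set(pre) | set(post)) - proof_var_stmt(par, label)
        if extra:
            violations.append(('line', label, extra))
    return violations

# add2 of Figure 3 (labels A1, A2 as on the page).
ADD2 = ('par', {'r': ['x']}, [
    ('lbl', 'A1', ('with', 'r', 'true', ('assign', 'x', 'x+1'))),
    ('lbl', 'A2', ('with', 'r', 'true', ('assign', 'x', 'x+1'))),
])
# The parbegin statement of add1 in Figure 2; labels C1/B1/C2/B2 are assumed.
ADD1_PAR = ('par', {'r': ['x', 'y', 'z']}, [
    ('lbl', 'C1', ('with', 'r', 'true',
        ('lbl', 'B1', ('seq', [('assign', 'x', 'x+1'), ('assign', 'y', '1')])))),
    ('lbl', 'C2', ('with', 'r', 'true',
        ('lbl', 'B2', ('seq', [('assign', 'x', 'x+1'), ('assign', 'z', '1')])))),
])
```

For add1 the analysis yields Proof-var(C1) = {y} outside the critical section and Proof-var(B1) = {x, y, z} inside it, which is exactly the split visible in the assertions of Figure 2; for add2 it yields Proof-var(A1) = Proof-var(A2) = ∅, so any proof line mentioning x at A1 is reported as a violation.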

Finally, A8 is a new inference rule 
which provides for the introduction of 
auxiliary variables in a program to be 
verified. After verifying the partial 
correctness of the expanded program, A8 
can be used to derive the partial correct- 
ness of the original. Many authors have 
noted the usefulness of auxiliary var- 
iables (see for example [3], [15]) but 
have not provided a formal mechanism for 
incorporating them in program proofs. 

In this paper it will be assumed that 
program proofs contain no extraneous 
derivations, i.e. every line in the proof, 
except the last, is used in a subsequent 
line . 

An example of parallel program veri- 
fication based on the deductive semantics 
is presented very informally in Figure 2. 
Here the assertions from a formal proof 
are set off by braces { } and interspersed 
with the program text. 



{x=0}
add1: begin y:=0; z:=0;
      {y=0 ∧ z=0 ∧ I(r)}
      resource r(x,y,z): parbegin
          {y=0}
          with r when true do
              {y=0 ∧ I(r)}
              begin x:=x+1; y:=1 end
              {y=1 ∧ I(r)}
          {y=1}
      //
          {z=0}
          with r when true do
              {z=0 ∧ I(r)}
              begin x:=x+1; z:=1 end
              {z=1 ∧ I(r)}
          {z=1}
      parend
      {y=1 ∧ z=1 ∧ I(r)}
      end
{x=2}

I(r) = {x=y+z}

Figure 2. Assertions from a proof of
{x=0} add1 {x=2}



4. THE INTERPRETER 

The semantics of the parallel language 
of Section 2 can also be presented by 
giving an interpreter for programs in the 
language. In this section we define such 
an interpreter in terms of the computations 
it may exhibit in executing a program. In- 
formally, the interpreter executes se- 
quential statements in the usual way. It 
implements parallelism by selecting (non- 
deterministically) one of the parallel 
processes and advancing that process 
according to the usual rules for sequential 
program execution. Thus the interpreter 
uses non-determinism to simulate paralle- 
lism, but it is defined in such a way that 
the results are equivalent to those which 
would be obtained using true parallelism. 

Definition : A program state for the 
interpreter executing a program S is an 
ordered pair (c,v) . The control state c 
is a set of statements from S ; these are 
the statements which are next to be 
executed in each process. For convenience
we will assume that each statement in S 
has a distinct label, and will use the 
statement and its label interchangeably 
in c. The variable state v is a mapping 
from variables of S to values. If E is
an expression on the program variables of
S, E(v) denotes the result of evaluating
E in state v.



Definition: The state transition function
δ for program S maps statements × program
states to program states.
δ(T,(c,v)) represents the effect of
initiating T in state (c,v).

δ(T,(c,v)) = undefined if T ∉ c, or if T
                 is the statement with r when
                 B do T_1 and either B(v) =
                 false or c already contains
                 a statement which belongs to
                 a critical section for r
           = (c',v') otherwise,

where v'(x) = E(v) if T is the statement
                   x:=E
            = v(x) otherwise

c' = (c − {T}) ∪ successor(T,(c,v)),
where successor(T,(c,v)) is the set of
statements to be initiated after T. For
example,

a) if T is if B then T_1 else T_2,
   successor(T,(c,v)) = if B(v) then
   {T_1} else {T_2}

b) if T is resource r_1, ..., r_m:
   parbegin T_1 // ... // T_n parend,
   successor(T,(c,v)) = {T_1, ..., T_n}

c) if T is the last statement in S, or
   the last statement in a set of par-
   allel processes which still have
   statements in c − {T},
   successor(T,(c,v)) = ∅

Definition: A partial computation of
the interpreter for program S is a se-
quence of program states, C = (c_0,v_0),
..., (c_n,v_n), such that c_0 = {S}, and
(c_i,v_i) = δ(S_i,(c_{i-1},v_{i-1})) for some
S_i ∈ c_{i-1}, 1 ≤ i ≤ n. A computation
is a partial computation which terminates,
i.e. c_n = ∅. Note that C is completely
determined by c_0 and the sequence of
statements S_1, S_2, ..., S_n.

This completes the definition of the 
interpreter. Some related concepts
which will be useful in Sections 5 and
6 are defined in terms of the interpreter.

Definition: Let T be a statement in
program S, and C = (c_0,v_0), ..., (c_n,v_n)
be a partial computation for S. Then T
is current in (c_k,v_k) if T ∈ c_k, and T
is current after C if it is current in
(c_n,v_n). Also C finishes T if C has
executed the last statement of T and has
not initiated another statement from the
same process as T.



Definition: The formula {P}S{Q} is true
for the interpreter iff any computation
C = (c_0,v_0), ..., (c_n,v_n) for which P(v_0) =
true has Q(v_n) = true, i.e., any computa-
tion which starts S with P true must end
with Q true.
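The interpreter of this section is small enough to run. The following Python, added here and not the paper's own code, implements δ over a tuple encoding of statements, exhausts the non-deterministic choice of which process advances next, and decides "true for the interpreter" for a given {P} S {Q} over a list of initial states. It is run on add2 (Figure 3, later on this page), on a constructed variant that violates syntax restriction 2 by copying x into a process-local temporary outside any critical section (the classic lost-update interference), and on a constructed hand-off whose second critical section waits on the guard y=1. The tuple encoding, the internal `release`/`join` frames used to model the control state c, and the program names are assumptions of this example.

```python
"""Interpreter for the parallel language of Section 4, written for this
note (not the paper's formalism verbatim): every interleaving is explored by
exhausting the non-deterministic choice of which process advances next."""
from typing import Dict, FrozenSet, Set, Tuple

State = Dict[str, int]
# Statement forms, a tuple encoding assumed here:
#   ('assign', x, f)        f(v) evaluates the right-hand side E in state v
#   ('seq', (s1, ..., sn))  begin s1; ...; sn end
#   ('if', b, s1, s2)       b(v) evaluates the Boolean expression B
#   ('while', b, s)
#   ('with', r, b, s)       critical section: with r when B do S
#   ('par', (s1, ..., sn))  parbegin s1 // ... // sn parend
# Two internal frames model the control state c:
#   ('release', r)          pushed when a critical section for r is entered
#   ('join', stacks)        a running parbegin, one stack of pending statements per process

def step(frame, held: FrozenSet[str], v: State):
    """Yield every (frame', held', v') reachable by initiating one statement in
    this process frame (a tuple used as a stack: its last element runs next).
    Yielding nothing corresponds to delta being undefined."""
    if not frame:
        return
    T, rest = frame[-1], frame[:-1]
    kind = T[0]
    if kind == 'assign':
        v2 = dict(v)
        v2[T[1]] = T[2](v)
        yield rest, held, v2
    elif kind == 'seq':
        yield rest + tuple(reversed(T[1])), held, v
    elif kind == 'if':
        yield rest + ((T[2] if T[1](v) else T[3]),), held, v
    elif kind == 'while':
        yield (rest + (T, T[2]) if T[1](v) else rest), held, v
    elif kind == 'with':
        r = T[1]
        if r not in held and T[2](v):     # delayed until B holds and r is free
            yield rest + (('release', r), T[3]), held | {r}, v
    elif kind == 'release':
        yield rest, held - {T[1]}, v
    elif kind == 'par':
        yield rest + (('join', tuple((s,) for s in T[1])),), held, v
    elif kind == 'join':
        stacks = T[1]
        if all(not s for s in stacks):   # every process finished: parend
            yield rest, held, v
        for i, s in enumerate(stacks):   # or advance any one process
            for s2, held2, v2 in step(s, held, v):
                yield rest + (('join', stacks[:i] + (s2,) + stacks[i + 1:]),), held2, v2

def computations(S, v0: State) -> Tuple[Set[tuple], int]:
    """Explore all partial computations of S from v0. Returns the set of final
    variable states of terminating computations (as sorted item tuples) and
    the number of stuck states (a process waiting on a guard that never holds)."""
    key = lambda fr, h, v: (fr, h, tuple(sorted(v.items())))
    start = ((S,), frozenset(), v0)
    seen, todo = {key(*start)}, [start]
    finals, stuck = set(), 0
    while todo:
        fr, h, v = todo.pop()
        if not fr:
            finals.add(tuple(sorted(v.items())))
            continue
        succ = list(step(fr, h, v))
        if not succ:
            stuck += 1
        for nxt in succ:
            if key(*nxt) not in seen:
                seen.add(key(*nxt))
                todo.append(nxt)
    return finals, stuck

def final_values(S, v0: State, x: str) -> Set[int]:
    """Every value x can hold when S terminates from v0."""
    return {dict(f)[x] for f in computations(S, v0)[0]}

def holds(S, P, Q, initial_states) -> bool:
    """{P} S {Q} in the sense of the last definition above, checked over the
    given initial states: each computation starting with P true ends with Q true."""
    return all(Q(dict(f)) for v0 in initial_states if P(v0)
               for f in computations(S, v0)[0])

# add2 of Figure 3: both processes increment x inside a critical section for r.
ADD2 = ('par', (
    ('with', 'r', lambda v: True, ('assign', 'x', lambda v: v['x'] + 1)),
    ('with', 'r', lambda v: True, ('assign', 'x', lambda v: v['x'] + 1)),
))
# Constructed variant violating syntax restriction 2: each process copies x
# into its own temporary and writes back without a critical section.
RACY = ('par', (
    ('seq', (('assign', 't1', lambda v: v['x']), ('assign', 'x', lambda v: v['t1'] + 1))),
    ('seq', (('assign', 't2', lambda v: v['x']), ('assign', 'x', lambda v: v['t2'] + 1))),
))
# Constructed hand-off: the second critical section is delayed until y=1.
HANDOFF = ('par', (
    ('with', 'r', lambda v: True,
     ('seq', (('assign', 'x', lambda v: v['x'] + 1), ('assign', 'y', lambda v: 1)))),
    ('with', 'r', lambda v: v['y'] == 1, ('assign', 'x', lambda v: 2 * v['x'])),
))

if __name__ == '__main__':
    print(final_values(ADD2, {'x': 0}, 'x'), final_values(RACY, {'x': 0}, 'x'))
```

From x=0 every computation of add2 ends with x=2, so {x=0} add2 {x=2} is true for the interpreter even though Section 6 shows A0-A7 cannot prove it; the racy variant can end with x=1 as well as x=2, which is the interference the syntax restrictions of Section 2 exclude; the hand-off always ends with x=2 and no stuck state is reached, since the guard is eventually satisfied.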

5. CONSISTENCY 

This section demonstrates that the 
axiomatic semantics of Section 3 is con- 
sistent with the interpreter of Section 4. 
Similar consistency results for sequential 
programs have been proved by Hoare and 
Lauer [11], Cook [5], Gorelick [7], and 
Donahue [6]. In these papers the con- 
sistency results were obtained by showing 
that the axioms (A1, A2) and inference
rules (A0, A3-A5) are sound with respect
to some sequential interpreter.

In the parallel case this approach fails
for both A6 and A7. For A7, problems arise
because the computations for a parbegin
statement cannot be obtained simply by
combining the independent computations of
its components; this makes it difficult
to prove the soundness of A7 directly.
(In contrast consider A3. Here a direct
proof is easy because a computation for
begin S_1; ...; S_n end is the concatenation of
computations for S_1, ..., S_n.) Rule A6 is
valid only within the context of a parbegin
statement; fortunately this is the only
place where critical sections can be used.
If A6 is to be sound, any computation which
starts the statement with r when B do S
with P true must start statement S with
P ∧ B ∧ I(r) true. This can only be established
within a parbegin statement, whose proof
includes the requirement that I(r) holds
when parallel execution begins and is
preserved by each critical section. Be-
cause of these difficulties, the proof of
the consistency theorem demonstrates the
soundness of a complete program proof
rather than the soundness of each proof
rule.

Definition: Let S' be a statement in a
program S. The pre-conditions (post-
conditions) of S' in a proof of {P}S{Q}
are the assertions which appear before
(after) S' in formulas in the proof.

Lemma 5.1: Suppose S' appears k times in
the proof of {P}S{Q}, in the formulas
{P_1}S'{Q_1}, ..., {P_k}S'{Q_k} (in that order).
Then {P_1}S'{Q_1} is derived using one of
the rules A1-A8, and {P_i}S'{Q_i}, 1 < i ≤ k,
is derived using A0 and {P_{i-1}}S'{Q_{i-1}}.
Thus P_k ⊢ P_{k-1} ⊢ ... ⊢ P_1 and
Q_1 ⊢ Q_2 ⊢ ... ⊢ Q_k. The
formula {P_k}S'{Q_k} is either the last line
of the proof (if S = S') or is used in de-
riving a formula {P'}T{Q'}, where T is
either the statement immediately containing
S' in S or a reduction of S' according to A8.

Proof: Follows from the requirement that
the proof of {P}S{Q} contains no extraneous
derivations.
Theorem 5.1: (Consistency of A0-A7) If
{P}S{Q} can be proved using A0-A7, then
{P}S{Q} is true for the interpreter.

Proof: We start with a proof of {P}S{Q}
and show that the pre- and post-conditions
from that proof must hold at the appro-
priate times during the execution of S.
More formally, let C = (c_0,v_0), ..., (c_n,v_n)
be a partial computation for S with
P(v_0) = true. Then C must satisfy the
following conditions.

1. Let T be a statement in S, P' a
   pre-condition, and Q' a post-condi-
   tion of T in the proof of {P}S{Q}.
   Then

   a) if T is current after C,
      P'(v_n) = true,

   b) if C finishes T, Q'(v_n) = true.

2. Let r be a resource in S with invar-
   iant I(r). Then if C is executing
   the parbegin statement where r is
   declared, but is not in the midst
   of a critical section for r, then
   I(r)(v_n) = true.

Note that 1b implies that any computa-
tion for S which starts with P true must
finish with Q true, since Q is a post-
condition of S in the proof of {P}S{Q}.
Thus a proof of 1 and 2 establishes that
{P}S{Q} is true for the interpreter.
The proof of 1 and 2 uses induction on
the length of C.

Base step: 1a. C = ({S},v_0). By
assumption, P(v_0) = true.
If P' is any other pre-condition of
S, P ⊢ P' (Lemma 5.1).
Thus P'(v_0) = true.
1b and 2 do not apply.

Induction step: Let C' = (c_0,v_0), ...,
(c_{n-1},v_{n-1}). By induction, 1 and 2 are
satisfied for C'; we must show they are
satisfied for C. Let S_n be the state-
ment in c_{n-1} such that (c_n,v_n) =
δ(S_n,(c_{n-1},v_{n-1})).

Proof of 1: Consider cases of S_n and T.


Case 1: S_n and T are in different pro-
cesses. Now v_n agrees with v_{n-1} on all
variables in Proof-var(T), since S_n can-
not change any of those variables.

a) If T is current after C, it was
current after C', and P'(v_{n-1}) = true,
by induction. So P'(v_n) = true.

b) If C finishes T then C' finishes T,
and by similar reasoning Q'(v_n) = true.

Case 2: S_n and T are from the same pro-
cess. A complete verification of condi-
tion 1 requires a detailed analysis of all
cases of S_n and T. Such an analysis is
given in [19]; here we present some
representative examples.

Example 1: S_n is an assignment statement
which appears in S in the context

    L_1: while B do x:=E;

After C, i.e. after the execution of S_n,
S_n is finished and L_1 is current. Thus
we must show that the post-conditions of
S_n and the pre-conditions of L_1 hold in
v_n.

First, note that the first line in the
proof of {P}S{Q} which refers to S_n must
have the form {R[E/x]} S_n {R} (Lemma 5.1).
Now S_n is current after C', so by in-
duction R[E/x](v_{n-1}) = true. Then R(v_n) = true
since v_n is obtained from v_{n-1} by assigning
the value of E to x. If R' is any other
post-condition of S_n, R ⊢ R' (Lemma 5.1),
so that R'(v_n) = true. Now the last line
of the proof which refers to S_n is used
to derive {P'} L_1: while B do S_n {P' ∧ ¬B}
using A5 (Lemma 5.1), so it must have the
form {P' ∧ B} S_n {P'}. Since P' is a post-
condition of S_n, P'(v_n) = true. But P'
is also the first pre-condition of L_1, so
by Lemma 5.1 P' ⊢ P'', where P'' is any pre-
condition of L_1; thus P''(v_n) = true.

Example 2: S_n is with r when B do T;
T is current after C, and no statements
are finished. The last line of the proof
which refers to T is

    {P' ∧ B ∧ I(r)} T {Q' ∧ I(r)}

and the first which refers to S_n is
{P'} S_n {Q'} (Lemma 5.1). By induction
P'(v_{n-1}) = true, since S_n is current in
v_{n-1}. Since S_n can execute after C',
B(v_{n-1}) is true, and no critical section
on r is in execution for C'. But then
P' ∧ B ∧ I(r) holds for v_{n-1}, using part
2 of the induction hypothesis, and also
for v_n, since v_{n-1} = v_n. Applying Lemma
5.1, all pre-conditions of T hold in v_n.



Example 3: S_n is a parbegin statement.
Its processes are current after C, and it
is easily checked that their pre-conditions
hold for v_n.

Example 4 : C finishes a parbegin state- 
ment T. Then S n finishes the last process 
of T (all the others were finished by C). 
By previous arguments, the post-condition 
of each process holds for v n ; also each 
resource invariant holds because no 
critical sections can be in execution when 
the processes finish. Thus the post-con-
ditions of the parbegin statement T hold
in v_n.

Proof of 2: Suppose no critical section
for resource r is in execution in C. If
no critical section for r was in
execution in C', I(r)(v_{n-1}) = true
by induction. Since v_n must agree with
v_{n-1} on all variables in Proof-var(r),
I(r)(v_n) = true also.

If some critical section with r when B
do S_1 was in execution in C', but not in
C, then C finishes S_1. Now S_1 must have
a post-condition with the form Q' ∧ I(r)
(Lemma 5.1), so by 1b I(r)(v_n) = true.

Theorem 5.2 (Consistency of A8): If
{P}S{Q} can be derived from {P}S'{Q}
using A8, and {P}S'{Q} is true for the
interpreter, then {P}S{Q} is true for the
interpreter.

Proof: Deleting the assignments to
auxiliary variables does not affect the
flow of control or the values assigned
to other program variables. Thus S'
has the same effect as S on the variables
which appear in P and Q.

Theorem 5.3 (Consistency of A0-A8): If
{P}S{Q} can be proved, it is true for the
interpreter.

Proof: If the proof of {P}S{Q} uses A8,
it can be rewritten so that all the steps
using A8 appear at the end.

Let {P}S'{Q} be the last step which
does not use A8. Then {P}S'{Q} is true
for the interpreter by the consistency
of A0-A7, and {P}S{Q} is true by the
consistency of A8.



6. COMPLETENESS

The deductive system for parallel
programs as proposed by Hoare (A0-A5,
with weaker versions of A6 and A7) was
not complete. For example, even A0-A7
are not powerful enough to prove the
true formula {x=0} add2 {x=2}, where
program add2 is shown in Figure 3.

add2: resource r(x): parbegin
          A1: with r when true do x:=x+1
      //
          A2: with r when true do x:=x+1
      parend

Figure 3. The program add2

Note that, for this program,
Proof-var(A1) = Proof-var(A2) = ∅,
so that the only post-condition possible
for A1 and A2 is P' = {true}. Then the
strongest post-condition for add2 is
P' ∧ P' ∧ I(r) = I(r) (Lemma 5.1), and
¬(I(r) ⊃ x=2), since I(r) must hold
initially, when x=0. Even without the
restrictions on proof-variables, the
strongest valid candidate for post-condi-
tion of A1 and A2 is P'' = {1≤x≤2}, and
the strongest valid invariant is
I(r) = {0≤x≤2}. But ¬(P'' ∧ I(r) ⊃ x=2),
so {x=2} still cannot be a post-condition
of add2.

Section 6 is devoted to proving that 
A0-A8 are relatively complete in Cook's 
sense [5] . This implies that any true 
formula {P}S{Q} can be proved given 
sufficient knowledge about the data types 
of S, and strongly suggests that A0-A8 
capture all the information about program 
execution which is relevant for partial 
correctness. As a first step, we consider 
the case when the data types of S are the 
natural numbers with operations <, =, +,
*, and || (concatenation, to be defined
shortly). The completeness result is then
generalized to programs with any enumerable 
data domain and recursive operations. 

The concatenation operation | | which was 
mentioned above is used to represent finite 
sequences of natural numbers by a single 
number; it is included in the programming 
language operations because it will be 
needed with auxiliary variables. 

There are many ways of encoding a se-
quence in an integer; here we choose to
represent the empty sequence by 0 and the
sequence a_1, a_2, ..., a_k (or a_1 || a_2 || ... || a_k)
by the number

    11...1 0 11...1 0 ... 0 11...1
    a_1+1 1's   a_2+1 1's     a_k+1 1's

Thus 0||2||1 = 10111011.
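The encoding is easy to implement and to invert, which matters later because the auxiliary variables of Step 1 append to such codes with ||. The following Python, added here and not the paper's own code, builds the digit string exactly as described, reads it as a binary numeral (the page fixes the digit string but not the base, so binary is an assumption made here), decodes it back, and provides the append operation code || a.

```python
"""The sequence-to-number encoding behind the || operator of Section 6,
added for this note: the paper fixes the digit string; reading it as a
binary numeral is an assumption made here."""
from typing import List

def encode_bits(seq: List[int]) -> str:
    """Digit string of the paper: a_1+1 ones, 0, a_2+1 ones, 0, ..., a_k+1 ones.
    The empty sequence is represented by 0."""
    if not seq:
        return '0'
    return '0'.join('1' * (a + 1) for a in seq)

def encode(seq: List[int]) -> int:
    """The natural number whose binary digits are encode_bits(seq)."""
    return int(encode_bits(seq), 2)

def decode(code: int) -> List[int]:
    """Inverse of encode: each element is one fewer than the length of a run
    of ones; separators are single zeros, and a run is never empty, so the
    split is unambiguous."""
    if code == 0:
        return []
    return [len(group) - 1 for group in bin(code)[2:].split('0')]

def cat(code: int, a: int) -> int:
    """code || a: append the natural number a to an encoded sequence, the
    operation the auxiliary-variable assignments of Step 1 rely on."""
    return encode(decode(code) + [a])

if __name__ == '__main__':
    print(encode_bits([0, 2, 1]), decode(encode([0, 2, 1])))
```

With this reading, 0||2||1 is the digit string 10111011 (the page's example) and the number 187; decoding recovers [0, 2, 1], and a sequence of zeros such as 0||0||0 encodes as 10101, since each element contributes at least one 1.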

Theorem 6.1: (Relative completeness of
A0-A8 for programs over the natural num-
bers): Let T be a program whose data
domain is the natural numbers with <, =,
+, *, and ||. If {P}T{Q} is true for the
interpreter, then {P}T{Q} can be proved
using A0-A8 and a complete proof system D
for the natural numbers (clearly D is non-
effective).

Proof : The theorem is proved for the case 
in which T contains at most one parbegin 
statement. If it contains more the prin- 
ciple is the same, although the details are 
more complicated. The proof is quite 
lengthy, and requires most of Section 6. 
An outline of the approach is given below. 

Step 1: Give an algorithm for adding
auxiliary variables to T, yielding a new 
program T*. Some of the auxiliary vari- 
ables are used to encode a program history 
using the natural numbers. Note that 
{P}T*{Q} is true for the interpreter. 

Step 2: Define predicates pre(S) and
post(S) for each statement S in T*, and
I(r) for each resource r. These predicates
depend on the appropriate proof-variables.
Roughly, pre(S) is true for any values of
variables in Proof-var(S) which could occur
when S is ready to execute. Post(S) and
I(r) are defined similarly. Note that
these are recursively enumerable predi-
cates and so can be expressed by asser-
tions, since the assertion language con-
tains the natural numbers with the usual
operations.

Step 3: For each statement S in T*,
prove {pre(S)} S {post(S)}.

Step 4: From {pre(T*)} T* {post(T*)} de-
rive {P} T* {Q}, using A0, P ⊢_D pre(T*),
and post(T*) ⊢_D Q.

Step 5: Conclude {P}T{Q} from Step 4
and A8.

6.1 Step 1: Auxiliary Variables

Auxiliary variables are required only 
if T contains a parbegin statement of the 
form 

    T_0: resource r_1, ..., r_M:
         parbegin T_1 // ... // T_N parend

In that case the auxiliary variables 
listed below must be added to T. 

1. initstate: records the values of
   all variables when execution of T_0
   begins.

2. Ptime[1:N] and Rtime[1:M]: "clock"
   variables which are used to establish
   the relative times at which events
   occurred in the execution of T_0.

3. Pcomp[1:N], Rcomp[1:M], comp[1:N, 1:M]:
   sequences which record the history of
   critical section execution. Pcomp[i]
   is a history for process T_i, Rcomp[j]
   is a history for resource r_j, and
   comp[i,j] is a history of critical
   sections in process T_i which involve
   resource r_j.

Of course, it is assumed that none of 
these variables occur in the original 
program. If this is not the case, some 
variables must be renamed. 

The program T* required in the proof 
of {P}T{Q} is obtained as follows. 

1. If T contains no parbegin statement, 
T* = T. 

2. Otherwise, replace the single parbegin
   statement T_0 by

   begin initstate := z_1 || ... || z_k;
         (where {z_i} = {variables of T})
         Ptime := Rtime := Pcomp := Rcomp := comp := 0;
         resource r_1(... Rtime[1]), ...,
                  r_M(... Rtime[M]):
         parbegin T_1* // ... // T_N* parend
   end


T_i* is obtained by adding auxiliary
variables to each critical section of T_i.
Let CS be a critical section for r_j in
T_i, and let the variables of r_j be
y_1, ..., y_m. Let num(CS) be a natural
number, with each critical section in T
being assigned a distinct number. Then
replace
    CS: with r_j when B do S,  by

    CS: with r_j when B do
          begin
            if Ptime[i] < Rtime[j] then Ptime[i] := Rtime[j]+1
                                   else Ptime[i] := Ptime[i]+1;
            Pcomp[i]  := Pcomp[i]  || num(CS) || Ptime[i] || y_1 || ... || y_m;
            Rcomp[j]  := Rcomp[j]  || num(CS) || Ptime[i] || y_1 || ... || y_m;
            comp[i,j] := comp[i,j] || num(CS) || Ptime[i] || y_1 || ... || y_m;
            S*;
            Ptime[i] := Ptime[i]+1; Rtime[j] := Ptime[i];
            Pcomp[i]  := Pcomp[i]  || num(CS) || Ptime[i] || y_1 || ... || y_m;
            Rcomp[j]  := Rcomp[j]  || num(CS) || Ptime[i] || y_1 || ... || y_m;
            comp[i,j] := comp[i,j] || num(CS) || Ptime[i] || y_1 || ... || y_m
          end



Thus the variable state before parallel
execution begins is recorded in initstate,
while the history of resource use during
parallel execution is recorded in Pcomp
and Rcomp. The final values of Pcomp[i]
and Rcomp[j] are sequences of entries
corresponding to the beginning and end of
execution of critical sections. Each
entry contains the identity of the critical
section involved (its number), the "time"
at which it was started or finished, and
the values of resource variables at that
time. The time variables, Ptime[i] and
Rtime[j], are updated in such a way that
the times recorded in Pcomp[i] and Rcomp[j]
are strictly increasing. The use of these
auxiliary variables in a proof of {P}T*{Q}
will be explained in Step 3. For now, note
that a large part of their usefulness stems
from the fact that initstate, Pcomp[i], and
comp[i,j] belong to Proof-var(T_i), while
initstate, Rcomp[j], and comp[i,j] belong
to Proof-var(r_j).

The variables added in T* satisfy the
definition of auxiliary variables, so
{P}T{Q} can be proved by first proving
{P}T*{Q} and then using A8 to remove the
added statements. Note that {P}T*{Q}
must be true for the interpreter, since T*
has the same effect as T on the variables
in P and Q.

Step 2: Assertions pre(S), post(S), and
I(r).

We now define the assertions to be used 
in the proof of {p)T*{Q}. We first give 
the resource invariants, and then the pre 
and post conditions for each statement S 
in T*. The invariant for resource r must 
hold at any time in a computation when no 
critical section for r is in execution. 
The definition below specifies such an 
invariant, which is then interpreted in- 
formally. 

Definition: Let r_j be a resource in T,
with variables y_1, ..., y_m. The predicate
I(r_j)(v), defined on variable states of T*,
holds iff the following conditions on
Rcomp[j] and comp[i,j], 1 ≤ i ≤ N, are
satisfied.

1) v(Rcomp[j]) = a_1 || a_2 || ... || a_{2n-1} || a_{2n},
   where

   a) a_k = num(CS_k) || t_k || x_{k,1} || ... || x_{k,m},
      1 ≤ k ≤ 2n, where CS_k is the label
      of a critical section for r_j.

   b) CS_{2k-1} = CS_{2k}, 1 ≤ k ≤ n

   c) t_k < t_{k+1}, 1 ≤ k < 2n

   d) x_{2k+1,h} = x_{2k,h}, 1 ≤ k < n, 1 ≤ h ≤ m, and
      x_{1,h} = value recorded for y_h in
      initstate.

   e) v(y_h) = x_{2n,h}, 1 ≤ h ≤ m

2) For 1 ≤ i ≤ N, v(comp[i,j]) is the
   subsequence of v(Rcomp[j]) obtained
   by deleting all elements a_k of
   v(Rcomp[j]) where CS_k does not belong
   to process T_i.

Informally, I(r_j)(v) states that
v(Rcomp[j]) is a history of the execution
of critical sections for resource r_j. It
consists of pairs of (m+2)-tuples which
record the order of critical section execu-
tion and the time and values of variables
in r_j when the critical section was started
(a_{2k-1}) and finished (a_{2k}) (1a and 1b).
Time is strictly increasing in this history
(1c). The initial value of the variables
in r_j is recorded in initstate, and the
variables do not change value between the
end of one critical section and the be-
ginning of the next (1d). For all i,
comp[i,j] contains a history for critical
sections for r_j in process T_i (2) which
agrees with Rcomp[j].
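The instrumentation of Step 1 and the invariant I(r_j) of Step 2 fit together tightly: the clock update rule is what makes condition 1c hold, and the three appends per entry are what make condition 2 hold. The following Python, added here and not the paper's own code, replays the inserted statements on a constructed interleaving (process 1 runs critical section 1, then process 2 runs critical section 2, each incrementing the single variable x of resource r_1) and then checks conditions 1a-1e and 2 of the definition. Assumptions made here: histories are Python lists of entries rather than one natural number packed with ||, the class and function names, and the mapping from num(CS) to its process that condition 2 needs.

```python
"""Step 1 instrumentation (Ptime/Rtime clocks, Pcomp/Rcomp/comp histories)
replayed on a constructed interleaving, then checked against the resource
invariant I(r_j) of Step 2. Added for this note; histories are kept as
Python lists of entries instead of being packed into one number with ||."""
from typing import Dict, List, Tuple

Entry = Tuple[int, int, Tuple[int, ...]]  # (num(CS), time, values of r_j's variables)

class History:
    """The auxiliary variables added to T*; indices are 1-based as in the paper."""
    def __init__(self, n_proc: int, n_res: int, init_vars: Dict[str, int]):
        self.initstate = dict(init_vars)        # variable state when T_0 begins
        self.Ptime = [0] * (n_proc + 1)
        self.Rtime = [0] * (n_res + 1)
        self.Pcomp: Dict[int, List[Entry]] = {i: [] for i in range(1, n_proc + 1)}
        self.Rcomp: Dict[int, List[Entry]] = {j: [] for j in range(1, n_res + 1)}
        self.comp: Dict[Tuple[int, int], List[Entry]] = {
            (i, j): [] for i in range(1, n_proc + 1) for j in range(1, n_res + 1)}
        self.cs_of: Dict[int, Tuple[int, int]] = {}  # num(CS) -> (process, resource), assumed

    def _record(self, i: int, j: int, num: int, values) -> None:
        entry = (num, self.Ptime[i], tuple(values))
        self.Pcomp[i].append(entry)
        self.Rcomp[j].append(entry)
        self.comp[(i, j)].append(entry)
        self.cs_of[num] = (i, j)

    def enter(self, i: int, j: int, num: int, values) -> None:
        """The statements inserted before S* in critical section num of process i for r_j."""
        if self.Ptime[i] < self.Rtime[j]:
            self.Ptime[i] = self.Rtime[j] + 1
        else:
            self.Ptime[i] += 1
        self._record(i, j, num, values)

    def leave(self, i: int, j: int, num: int, values) -> None:
        """The statements inserted after S*."""
        self.Ptime[i] += 1
        self.Rtime[j] = self.Ptime[i]
        self._record(i, j, num, values)

def invariant_holds(h: History, j: int, res_vars: List[str], v: Dict[str, int]) -> bool:
    """I(r_j)(v): conditions 1a-1e on Rcomp[j] and condition 2 on comp[i,j]."""
    hist = h.Rcomp[j]
    if len(hist) % 2:                       # an entry without its exit: a CS is in execution
        return False
    prev = tuple(h.initstate[y] for y in res_vars)   # values recorded for r_j in initstate
    last_t = -1
    for k in range(0, len(hist), 2):
        (n1, t1, x1), (n2, t2, x2) = hist[k], hist[k + 1]
        if n1 != n2:                        # 1b: start and finish belong to the same CS
            return False
        if not (last_t < t1 < t2):          # 1c: times strictly increasing
            return False
        if x1 != prev:                      # 1d: unchanged since the previous CS (or initstate)
            return False
        prev, last_t = x2, t2
    if tuple(v[y] for y in res_vars) != prev:   # 1e: current values are the last recorded
        return False
    for i in h.Pcomp:                       # 2: comp[i,j] is the subsequence for process T_i
        if h.comp[(i, j)] != [e for e in hist if h.cs_of[e[0]][0] == i]:
            return False
    return True

def instrumented_run():
    """Constructed trace: process 1 executes CS 1, then process 2 executes CS 2,
    each incrementing the single variable x of resource r_1. Returns (history, v)."""
    v = {'x': 0}
    h = History(n_proc=2, n_res=1, init_vars=v)
    for i, j, num in [(1, 1, 1), (2, 1, 2)]:
        h.enter(i, j, num, (v['x'],))
        v['x'] += 1                         # the body S* of the critical section
        h.leave(i, j, num, (v['x'],))
    return h, v

if __name__ == '__main__':
    h, v = instrumented_run()
    print(h.Rcomp[1], invariant_holds(h, 1, ['x'], v))
```

On this trace the recorded times are 1, 2, 3, 4: process 2 enters with Ptime[2] = 0 < Rtime[1] = 2 and is therefore moved to time 3, which is what keeps Rcomp[1] strictly increasing across processes. The invariant holds in the final state, fails if x is changed outside a critical section (1e), and fails while a critical section is in execution, which is exactly the moment at which A6 does not require it.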



The predicate $I(r_j)(v)$ is recursively enumerable, so it can be expressed 
as a first-order formula in the assertion language whose non-logical symbols 
are $\{<, =, +, *, \|, 0, 1, \ldots\}$. We will use $I(r_j)$ to refer to 
both the predicate and the assertion which expresses it. Note that the 
assertion can be chosen to contain free only variables from 
Proof-var$(r_j)$, since Rcomp[j] and comp[i,j] both belong to 
Proof-var$(r_j)$. Thus $I(r_j)$ can be used as a resource invariant in the 
proof of {P}T*{Q}. 
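As an added illustration (not part of Owicki's paper), the following Python checker evaluates the clauses of $I(r_j)$ on a constructed resource history. It represents each history element $a_k$ as a tuple (critical-section label, $t_k$, $(x_{k,1}, \ldots, x_{k,m})$) instead of the paper's concatenated natural number, so no pairing function is needed; the mapping from critical-section labels to the process that owns them, the labels CS_a and CS_b, and the sample values are all assumptions made for the example.

```python
from typing import Dict, List, Sequence, Tuple

# One element a_k of a resource history: (critical-section label,
# recorded time t_k, recorded values (x_{k,1}, ..., x_{k,m})).
Elem = Tuple[str, int, Tuple[int, ...]]


def resource_invariant(rcomp: Sequence[Elem],
                       comp: Dict[int, Sequence[Elem]],
                       owner: Dict[str, int],
                       initstate: Tuple[int, ...],
                       current: Tuple[int, ...]) -> List[str]:
    """Return the violated clauses of I(r_j) (empty list: I(r_j) holds).

    rcomp     -- v(Rcomp[j]), the history a_1 ... a_{2n}
    comp      -- v(comp[i,j]) for each process index i
    owner     -- critical-section label -> index of the process T_i it
                 belongs to (an assumption supplied by the caller)
    initstate -- values of r_j's variables recorded in initstate
    current   -- v(y_1), ..., v(y_m), the current resource values
    """
    bad = set()
    m = len(initstate)
    # 1a: every element names a critical section for r_j and carries m values.
    if any(cs not in owner or len(xs) != m for cs, _t, xs in rcomp):
        bad.add("1a")
    # 1c: recorded times strictly increase along the history.
    if any(rcomp[k][1] >= rcomp[k + 1][1] for k in range(len(rcomp) - 1)):
        bad.add("1c")
    if len(rcomp) % 2:
        # Elements come in start/finish pairs, so an odd length means a
        # critical section was started but not finished: 1b cannot hold.
        bad.add("1b")
    else:
        n = len(rcomp) // 2
        # 1b: a_{2k-1} and a_{2k} record the same critical section.
        if any(rcomp[2 * k][0] != rcomp[2 * k + 1][0] for k in range(n)):
            bad.add("1b")
        # 1d: the first start records initstate, and the values at the
        # start of CS_{k+1} equal those at the finish of CS_k.
        if n and rcomp[0][2] != initstate:
            bad.add("1d")
        if any(rcomp[2 * k + 2][2] != rcomp[2 * k + 1][2]
               for k in range(n - 1)):
            bad.add("1d")
        # 1e: the variables now hold the values recorded at the last finish
        # (with no critical section executed yet, those of initstate, as
        # lemma 6.4 requires of the initial state).
        last = rcomp[-1][2] if n else initstate
        if current != last:
            bad.add("1e")
    # 2: comp[i,j] is the subsequence of Rcomp[j] formed by the elements
    # whose critical section belongs to process T_i.
    for i, hist in comp.items():
        if list(hist) != [a for a in rcomp if owner.get(a[0]) == i]:
            bad.add("2")
    return sorted(bad)


def sample_histories():
    """Constructed histories (not from the paper) for one resource r with
    variables (y_1, y_2) shared by processes T_1 and T_2."""
    owner = {"CS_a": 1, "CS_b": 2}          # assumed label ownership
    initstate = (0, 0)
    good = [("CS_a", 1, (0, 0)), ("CS_a", 2, (1, 0)),   # T_1 sets y_1 := 1
            ("CS_b", 3, (1, 0)), ("CS_b", 5, (1, 7))]   # T_2 sets y_2 := 7
    comp = {1: good[0:2], 2: good[2:4]}
    # A history in which T_2 entered its critical section before T_1 had
    # finished: the start/finish pairing (1b) breaks, and the values T_2
    # recorded at its start no longer match the previous finish (1d).
    overlapping = [("CS_a", 1, (0, 0)), ("CS_b", 2, (0, 0)),
                   ("CS_a", 3, (1, 0)), ("CS_b", 5, (1, 7))]
    return owner, initstate, good, comp, overlapping


if __name__ == "__main__":
    owner, init, good, comp, overlapping = sample_histories()
    print(resource_invariant(good, comp, owner, init, (1, 7)))   # []
    ocomp = {1: [overlapping[0], overlapping[2]],
             2: [overlapping[1], overlapping[3]]}
    print(resource_invariant(overlapping, ocomp, owner, init, (1, 7)))
```

The checker names the clause that fails rather than returning a bare truth value, which is what one wants when using $I(r_j)$ as a debugging aid: the overlapping history shows that a critical section for $r_j$ started before the previous one finished is rejected by the pairing clause (1b) and, because the second process saw stale values, by the continuity clause (1d), while the per-process projections (2) are still consistent with it.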

Next we define a set of pre and post 
conditions for the statements of T* , con- 
sidering first the case of a statement 
which does not belong to a parallel process 
in T*. 

Definition: Let S be a statement in T* which does not belong to a parallel 
process. The predicates pre(S)(v), post(S)(v), defined on variable states 
of T*, are 

   pre(S)(v) $\equiv$ $\exists$ a computation $C = (c_0,v_0), \ldots, (c_n,v_n)$ 
   for T* such that $P(v_0)$ = true and $v_n = v$ and S is current after C. 

   post(S)(v) $\equiv$ $\exists$ a computation $C = (c_0,v_0), \ldots, (c_n,v_n)$ 
   for T* such that $P(v_0)$ holds and $v_n = v$ and C finishes S. 

In other words, pre(S)(v) is true iff it is possible to start T* with P 
true and reach S in variable state v. Post(S)(v) is true iff it is possible 
to start T* with P true and finish S in variable state v. As with $I(r_j)$, the 
predicates pre(S) and post(S) are recur- 
sively enumerable and can be expressed 
by assertions; we will use pre(S) and 
post(S) to refer to both the predicates 
and the assertions. 

The definition of pre(S) and post(S) 
for a statement S belonging to a parallel 
process of T* is complicated by the fact 
that pre and post-conditions of S in a 
proof of {P}T*{Q} must depend only on 
variables in Proof-var (S) . We will ob- 
tain such a definition by using the con- 
cept of a process computation. 

Definition: Let 

   $T_0$: resource $r_1, \ldots, r_M$: parbegin $L_1{:}T_1 // \ldots // L_N{:}T_N$ parend 

be the single parbegin statement in T*. A process computation for process 
$T_i$ is a sequence $PC = (c_0,v_0), \ldots, (c_n,v_n)$ such that 
$c_0 = \{T_i\}$, and for $1 \le k \le n$, $\exists S_k$ such that 
$(c_k,v_k) = \delta(S_k, (c_{k-1},v_{k-1}))$ except that if $S_k$ is a 
critical section for some resource $r_j$, the variables of $r_j$ may take 
on arbitrary values in $v_k$ so long as $B(v_k)$ is true. 



This definition describes a computation 
from the viewpoint of a single process: 
parallel execution is like non-parallel 
execution except that the values of re- 
source variables may change unpredictably 
when they are not controlled by the pro- 
cess. 

Definition: Let S be a statement in process $T_i$ of the parbegin statement 
in T*. The predicates pre(S)(v) and post(S)(v), defined on variable states 
of T*, are 

   pre(S)(v) $\equiv$ $\exists$ a process computation 
   $PC = (c_0,v_0), \ldots, (c_n,v_n)$ for process $T_i$ such that 
   pre$(T_0)(v_0)$ = true and $v(x) = v_n(x)$ $\forall x \in$ Proof-var(S), 
   and S is current in $c_n$. If S belongs to a critical section CS for 
   $r_j$, let $(c_k,v_k)$ be the last state in PC such that 
   $(c_k,v_k) = \delta(CS, (c_{k-1},v_{k-1}))$. Then $I(r_j)(v_k)$ = true. 

   post(S)(v) $\equiv$ $\exists$ a process computation 
   $PC = (c_0,v_0), \ldots, (c_n,v_n)$ for process $T_i$ such that 
   pre$(T_0)(v_0)$ = true and $v(x) = v_n(x)$ $\forall x \in$ Proof-var(S) 
   and PC finishes S. If S belongs to a critical section CS for resource 
   $r_j$, let $(c_k,v_k)$ be defined as before. Then $I(r_j)(v_k)$ = true. 



In other words, pre(S)(v) is true iff it is possible to start T* with P 
true, reach the parbegin statement $T_0$ in some state $v_0$, then execute 
the process $T_i$ independently until reaching a state where S is current 
and the variables in Proof-var(S) have the values given in v. Moreover, if 
S belongs to a critical section for $r_j$, $I(r_j)$ was true when that 
critical section was started. Post(S)(v) has a similar interpretation. 
Once again, the predicates pre(S) and 
post(S) are recursively enumerable and 
can be expressed by assertions; pre(S) 
and post(S) will be used to denote the 
assertions as well as the predicates. 
The assertions can be chosen to contain 
free only variables from Proof-var(S) and 
thus can be used as pre and post-conditions 
of S in a proof of {P}T*{Q}. 

Step 3: Proving {pre(S)} S {post(S)}. 

For each statement S in T* we prove {pre(S)} S {post(S)}, using induction 
on the structure of S. Some representative cases for S are given below. 
The only difficult case is the single parbegin statement. 

Case 1: S is the assignment y := E; 

   1. $\{post(S)^E_y\}$ y := E $\{post(S)\}$                      A1 

   2. pre(S) $\vdash_D post(S)^E_y$                               Lemma 6.1 

   3. {pre(S)} y := E {post(S)}                                  1, 2, A0 



Lemma 6.1: We first show that 

   $\forall v\,(pre(S)(v) \Rightarrow post(S)^E_y(v))$. 

Suppose S is not part of a parallel process in T*. Then 

   pre(S)(v) $\equiv$ $\exists$ a computation $C = (c_0,v_0), \ldots, (c_n,v_n)$ 
   such that $P(v_0)$ = true and $v_n = v$ and S is current after C 

   $\Rightarrow$ $\exists$ a computation $C' = (c_0,v_0), \ldots, (c_n,v_n), (c',v')$, 
   where $(c',v') = \delta(S, (c_n,v_n))$, such that $P(v_0)$ = true and 
   $C'$ finishes S 

   $\Rightarrow$ post(S)(v') 

   $\Rightarrow$ $post(S)^E_y(v)$ 

If S belongs to a parallel process, the proof is the same except that it 
involves process computations rather than computations. 

Now since 

   $\forall v\,(pre(S)(v) \Rightarrow post(S)^E_y(v))$, 

and since D is a complete proof system for the natural numbers, 
pre(S) $\vdash_D post(S)^E_y$. 

Case 2: S is with $r_j$ when B do S' 

   1. {pre(S')} S' {post(S')}                                    induction 

   2. pre(S) $\wedge I(r_j) \wedge$ B $\vdash$ pre(S')                  Lemma 6.2 

   3. post(S') $\vdash$ post(S) $\wedge I(r_j)$                        Lemma 6.3 

   4. {pre(S) $\wedge I(r_j) \wedge$ B} S' {post(S) $\wedge I(r_j)$}       1, 2, 3, A0 

   5. {pre(S)} S {post(S)}                                       4, A6 

Lemma 6.2: Let v be a variable state with 
pre(S)(v) $\wedge I(r_j)(v) \wedge B(v)$ = true. Let 
$PC = (c_0,v_0), \ldots, (c_n,v_n)$ be the process computation whose 
existence is implied by pre(S)(v). Let $v''(x) = v_n(x)$ $\forall x \notin r_j$ 
and $v''(x) = v(x)$ $\forall x \in r_j$. Then 

   $PC' = (c_0,v_0), \ldots, (c_{n-1},v_{n-1}), (c_n,v''), (c',v')$, 
   where $(c',v') = \delta(S, (c_n,v''))$, 

is the process computation whose existence is required for pre(S')(v'). 
Since $v(x) = v''(x)$ $\forall x \in$ Proof-var(S'), this yields pre(S')(v). 
Thus 

   $\forall v\,(pre(S)(v) \wedge B(v) \wedge I(r_j)(v) \Rightarrow pre(S')(v))$, 

so pre(S) $\wedge$ B $\wedge I(r_j) \vdash$ pre(S'). 

Lemma 6.3: Let v be a variable state with post(S')(v) = true, and let 

   $PC = (c_0,v_0), \ldots, (c_n,v_n)$ 

be the process computation whose existence is implied by post(S')(v). 
Now since PC finishes S', it also finishes S, yielding post(S)(v). To see 
that $I(r_j)(v)$ = true, note that post(S')(v) $\Rightarrow I(r_j)(v_k)$, 
where $v_k$ is the variable state of PC upon starting S. Now executing S' 
preserves $I(r_j)$ (check the definition of T*), yielding $I(r_j)(v_n)$. 
Since $v(x) = v_n(x)$ $\forall x \in$ Proof-var(S'), and 
Proof-var$(r_j) \subseteq$ Proof-var(S'), this implies $I(r_j)(v)$. Thus 

   post(S') $\vdash_D$ post(S) $\wedge I(r_j)$. 

Case 3: S is 

   $T_0$: resource $r_1, r_2, \ldots, r_M$: parbegin $L_1{:}T_1 // \ldots // L_N{:}T_N$ parend. 

   1. {pre$(T_i)$} $T_i$ {post$(T_i)$}, $1 \le i \le N$                 induction 

   2. {pre$(T_1) \wedge \ldots \wedge$ pre$(T_N) \wedge I(r_1) \wedge \ldots \wedge I(r_M)$} S 
      {post$(T_1) \wedge \ldots \wedge$ post$(T_N) \wedge I(r_1) \wedge \ldots \wedge I(r_M)$} 
                                                                 1, A7 

   3. pre(S) $\vdash$ pre$(T_1) \wedge \ldots \wedge$ pre$(T_N) \wedge I(r_1) \wedge \ldots \wedge I(r_M)$ 
                                                                 Lemma 6.4 

   4. post$(T_1) \wedge \ldots \wedge$ post$(T_N) \wedge I(r_1) \wedge \ldots \wedge I(r_M) \vdash$ post(S) 
                                                                 Lemma 6.5 

   5. {pre(S)} S {post(S)}                                       2, 3, 4, A0 



Lemma 6.4: pre$(T_0)(v) \Rightarrow$ pre$(T_i)(v)$ immediately from the 
definitions. pre$(T_0)(v) \Rightarrow I(r_j)(v)$ because the initialization 
performed in T* before starting S guarantees that the auxiliary variables 
used in $I(r_j)$ have the value zero in v, and the variables belonging to 
$r_j$ have the value in v which is recorded in v(initstate). Thus 
$I(r_j)(v)$ = true. 



Lemma 6.5: This is the most difficult case in the completeness proof. In 
order to show that 

   post$(T_1)(v) \wedge \ldots \wedge$ post$(T_N)(v) \wedge I(r_1)(v) \wedge \ldots \wedge I(r_M)(v) \vdash$ post$(T_0)(v)$, 

we must derive a computation for T* which finishes $T_0$ in state v; this 
will be done by merging the process computations for $T_i$, $1 \le i \le N$, 
whose existence is implied by post$(T_i)$. This merger will preserve the 
ordering of statements by "time" which can be inferred from the times 
stored in v(Pcomp[i]). The proof that such a merger is possible is quite 
complicated, and it is given in the appendix. Here we argue very 
informally that it is possible because the auxiliary variables guarantee 
that the independent process computations $PC^i$ are in some sense 
compatible. 

First, $\bigwedge_{i=1}^{N}$ post$(T_i)(v)$ implies that all the processes 
started $T_i$ with the same initial state: the one recorded in 
v(initstate). Post$(T_i)(v)$ also implies that v(Pcomp[i]) is a history 
of critical section execution in $T_i$, and that for $1 \le j \le M$, 
v(Pcomp[i]) gives the same history as v(comp[i,j]) for critical sections 
for resource $r_j$. Now $I(r_j)(v)$ implies that v(Rcomp[j]) gives the 
same history as v(comp[i,j]) for critical sections in process $T_i$. Thus 
v(Pcomp[i]) and v(Rcomp[j]) give the same history for the critical 
sections they have in common, namely those for resource $r_j$ in process 
$T_i$. Thus all processes manipulate resource $r_j$ in the way recorded 
in v(Rcomp[j]), and by $I(r_j)(v)$, v(Rcomp[j]) describes a legitimate 
resource history. Since the parallel processes interact consistently with 
each resource, and their only interaction is through the resources, the 
independent process computations are compatible and can be merged. 

Step 4: Proving {P}T*{Q}. 

   1. {pre(T*)} T* {post(T*)}                                    step 3 

   2. P $\vdash$ pre(T*)                                           Lemma 6.6 

   3. post(T*) $\vdash$ Q                                          Lemma 6.7 

   4. {P}T*{Q}                                                   1, 2, 3, A0 

Lemma 6.6: $\forall v\,(P(v) \Rightarrow$ pre(T*)(v)), using the computation 
C = ({T*}, v) to satisfy the definition of pre(T*)(v). Thus 
P $\vdash_D$ pre(T*). 

Lemma 6.7: $\forall v$, post(T*)(v) $\equiv$ $\exists$ a computation 
$C = (c_0,v_0), \ldots, (c_n,v_n)$ such that $P(v_0)$ holds and $v_n = v$ 
and C finishes T*. But then Q(v) holds, since {P}T*{Q} is true for the 
interpreter. So post(T*) $\vdash_D$ Q. 

Step 5: Proving {P}T{Q}. 

   1. {P}T*{Q}                                                   step 4 

   2. {P}T{Q}                                                    1, A8 

End of Theorem 6.1. 

6.2 Corollary (Relative completeness): 

Let T be a program with an enumerable data domain and recursive data 
operations. If {P}T{Q} is true for the interpreter, it can be proved 
using A0-A8 and a proof system D which is complete for both the data 
types of T and the natural numbers. 

Proof: Let e be an enumeration of the data domain of T. Add auxiliary 
variables as before, except to update the history variable x 
(x = Pcomp[i], Rcomp[j], or comp[i,j]) use 

   x := x || Ptime[i] || e($x_1$) || ... || e($x_m$); 

This use of the enumeration function e 
is required because concatenation is 
defined on natural numbers. The re- 
mainder of the proof proceeds exactly 
as before. 

This completeness result is similar 
to Cook's result for sequential lan- 
guages, but there are some significant 
differences. First, Cook did not 
specify the languages to be used for 
assertions and for expressions in the 
programming language, requiring only 
that the assertion language be ex- 
pressive, i.e. powerful enough to ex- 
press the required assertions. This 
paper has tied both languages to the 
natural numbers, because they provide a 
convenient way of encoding program 
histories for auxiliary variables. A 
second difference is in the method of 
proving the completeness theorem. With 
sequential programs, it is possible to 
derive the predicate post(S) from S and 
pre(S), independent of the remainder of 
program T*; for parallel programs 
post(S) may depend on all of T*. A 
final difference is in the use of auxiliary 
variables, which are not required in se- 
quential programs. The need for auxiliary 
variables can be avoided by attaching 
assertions to global program control points 
(see [1], [2]) rather than to control 
points in each process as was done here. 
In this approach, however, the number of 
assertions can grow exponentially with 
program size. Keller [13] and Lamport 
[14] avoid the need for auxiliary vari- 
ables by allowing assertions to include 
special variables which are essentially 
program counters for the parallel pro- 
cesses. These techniques, however, lack 
an attractive feature of the deductive 
approach — that the reasoning required 
for program verification closely resembles 
and may even guide the reasoning required 
in program creation. 
Appendix: Proof of Lemma 6.5 

We must show that 

   post$(T_1)(v) \wedge \ldots \wedge$ post$(T_N)(v) \wedge I(r_1)(v) \wedge \ldots \wedge I(r_M)(v) \Rightarrow$ post$(T_0)(v)$ 

where $T_0$ is the parbegin statement in T*. 

There are certain facts about the variable state v which can be deduced 
from post$(T_i)(v) \wedge I(r_j)(v)$ = true. 



1) post$(T_i)(v) \Rightarrow \exists\, PC^i = (c^i_0,v^i_0), \ldots, (c^i_{n(i)},v^i_{n(i)})$ 
   such that pre$(T_0)(v^i_0)$ = true and $PC^i$ finishes $T_i$ and 
   $v^i_{n(i)}(x) = v(x)$ $\forall x \in$ Proof-var$(T_i)$. 

2) v(Pcomp[i]) = $v^i_{n(i)}$(Pcomp[i]), since Pcomp[i] $\in$ Proof-var$(T_i)$. 
   Since v(Pcomp[i]) is the result of a process computation for $T_i$, it 
   must have the following form. 

   v(Pcomp[i]) = $b_1 \| \ldots \| b_n$, where 

   a) $b_k = \mathrm{num}(CS_k) \| t_k \| x_{k,1} \| \ldots \| x_{k,m}$. 
      Here $CS_k$ is a critical section in process $T_i$ for some resource 
      $r_j$ with m variables. 

   b) $t_k < t_{k+1}$, $1 \le k < n$ 

   c) In $PC^i$, critical sections are started and finished in the order 
      given by v(Pcomp[i]), and at start and finish the resource variables 
      have the values recorded in the corresponding elements of 
      v(Pcomp[i]), i.e. $x_{k,1}, \ldots, x_{k,m}$. 

3) v(Pcomp[i]) gives the same history as v(comp[i,j]) for critical 
   sections for resource $r_j$ in process $T_i$. More precisely, 
   comp[i,j] is the subsequence of v(Pcomp[i]) consisting of the $b_k$'s 
   whose $CS_k$ is a critical section for $r_j$. This must be true since 
   both v(Pcomp[i]) and v(comp[i,j]) are the result of a process 
   computation for $T_i$. 

4) v(Rcomp[j]) gives the same history as v(Pcomp[i]) for critical 
   sections on resource $r_j$ in process $T_i$. This follows from 3 above 
   and from part 2 of $I(r_j)(v)$. 
From the N process computations $PC^i$, there are N sequences of 
statements $D^i = S^i_1, \ldots, S^i_{n(i)}$, $1 \le i \le N$, such that in 
$PC^i$, $(c^i_k,v^i_k) = \delta(S^i_k, (c^i_{k-1},v^i_{k-1}))$. We want to 
merge the $D^i$ to obtain a single sequence of statements D which 
determines a computation for $T_0$. This will be done by merging the 
statements according to the "time" at which they were executed. 



Definition: Let $S^i_k$ be a statement in the sequence $D^i$. If $S^i_k$ 
starts or finishes a critical section in $PC^i$, let 
$b^i = (\mathrm{num}(CS_k) \| t_k \| x_{k,1} \| \ldots \| x_{k,m})$ be the 
corresponding element of v(Pcomp[i]); then time$(S^i_k) = t_k$. For all 
other $S^i_k$, time$(S^i_1) = 0$ and time$(S^i_k)$ = time$(S^i_{k-1})$. 



Note that time$(S^i_k)$ is non-decreasing with increasing k, from 2b+c 
above. Now the statement sequences $D^i$, $1 \le i \le N$, can be merged to 
yield a single sequence $D = S_1, S_2, \ldots, S_n$ in a way that preserves 
the time ordering, i.e. if $S^i$ precedes $S^j$ in D, 
time$(S^i) \le$ time$(S^j)$. Then 2c and 4 above imply 

5) the statements in D start and finish critical sections for resource 
   $r_j$ in the order given by v(Rcomp[j]). 
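The merge just described, as an added example that is not from the paper: each $D^i$ is modelled as a list of statements tagged with the critical-section event (label and recorded time) the statement starts or finishes, or None for ordinary statements. assign_times implements the definition of time$(S^i_k)$ above, merge_by_time performs one time-preserving merge (a k-way merge on the non-decreasing per-process time sequences, which also keeps each process's own order), and cs_order extracts the critical-section events of D so they can be compared with v(Rcomp[j]) as property 5 requires. The statement labels, times and the two-process sample are constructed for the example.

```python
import heapq
from typing import List, Optional, Sequence, Tuple

# A statement of D^i: (label, event), where event is None for an ordinary
# statement, or (critical-section label, t_k) when the statement starts or
# finishes that critical section at the time recorded in v(Pcomp[i]).
Stmt = Tuple[str, Optional[Tuple[str, int]]]


def assign_times(d: Sequence[Stmt]) -> List[int]:
    """time(S^i_k) as defined in the appendix: t_k for a statement that
    starts or finishes a critical section; otherwise 0 for S^i_1 and
    time(S^i_{k-1}) for every later statement."""
    times: List[int] = []
    for k, (_label, event) in enumerate(d):
        if event is not None:
            times.append(event[1])
        elif k == 0:
            times.append(0)
        else:
            times.append(times[-1])
    return times


def merge_by_time(seqs: Sequence[Sequence[Stmt]]) -> List[Tuple[int, Stmt]]:
    """Merge D^1, ..., D^N into one sequence D that preserves both each
    process's order and the time ordering (an earlier statement of D never
    has a larger time). Returns (process number, statement) pairs; ties in
    time are broken by process number, one of several admissible choices."""
    times = [assign_times(d) for d in seqs]
    # Each D^i is non-decreasing in time (2b+c), so a k-way merge keyed on
    # (time, process, position) yields a globally non-decreasing sequence.
    heap: List[Tuple[int, int, int]] = []
    for i, d in enumerate(seqs):
        if d:
            heapq.heappush(heap, (times[i][0], i, 0))
    merged: List[Tuple[int, Stmt]] = []
    while heap:
        _t, i, pos = heapq.heappop(heap)
        merged.append((i + 1, seqs[i][pos]))
        if pos + 1 < len(seqs[i]):
            heapq.heappush(heap, (times[i][pos + 1], i, pos + 1))
    return merged


def cs_order(merged: Sequence[Tuple[int, Stmt]]) -> List[Tuple[str, int]]:
    """The critical-section start/finish events of D in order, to be
    compared with the history recorded in v(Rcomp[j]) (property 5)."""
    return [stmt[1] for _i, stmt in merged if stmt[1] is not None]


def sample_merge():
    """Constructed D^1 and D^2 (not from the paper) for two processes that
    each run one critical section on a resource r, plus the Rcomp history
    (as (label, time) events) those process computations must agree with."""
    d1: List[Stmt] = [("x:=1", None), ("with r", ("CS_a", 1)),
                      ("y1:=1", None), ("end r", ("CS_a", 2)), ("z:=3", None)]
    d2: List[Stmt] = [("w:=0", None), ("with r", ("CS_b", 3)),
                      ("y2:=7", None), ("end r", ("CS_b", 5))]
    rcomp_events = [("CS_a", 1), ("CS_a", 2), ("CS_b", 3), ("CS_b", 5)]
    return [d1, d2], rcomp_events


if __name__ == "__main__":
    seqs, rcomp_events = sample_merge()
    merged = merge_by_time(seqs)
    for proc, (label, _event) in merged:
        print(f"T_{proc}: {label}")
    print("matches Rcomp:", cs_order(merged) == rcomp_events)
```

The statements of process 2 that carry time 0 (those before its first critical section) are free to interleave with the early statements of process 1, which is exactly the freedom the proof has: the merge only has to respect the recorded times, not reproduce one specific schedule, and whatever interleaving is chosen, the critical-section events come out in the order of v(Rcomp[j]).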

Now the computation C for $T_0$ is defined as follows. From post$(T_1)(v)$, 
$v^1_0$ satisfies pre$(T_0)(v^1_0)$. This means that there is a computation 
$C' = (c_0,v_0), \ldots, (c_m,v_m)$ for T* with $P(v_0)$ = true and 
$v_m = v^1_0$ and $T_0$ current after $C'$. Let 

   $C = (c_0,v_0), \ldots, (c_m,v_m), (c_{m+1},v_{m+1}), \ldots, (c_{m+n+1},v_{m+n+1})$, where 

   $(c_0,v_0), \ldots, (c_m,v_m)$ come from $C'$, 

   $(c_{m+1},v_{m+1}) = \delta(T_0, (c_m,v_m))$, 

   $(c_{m+k+1},v_{m+k+1}) = \delta(S_k, (c_{m+k},v_{m+k}))$, $1 \le k \le n$. 

If we can show that C defined in this way is really a computation (i.e. 
$\delta(S_k, (c_{m+k},v_{m+k}))$ is defined for $1 \le k \le n$), and that 
C's final state is v, then post$(T_0)(v)$ will be established. This is 
proved using induction. 

Induction hypothesis: Consider $(c_{m+k+1},v_{m+k+1})$, $0 \le k \le n$. 
Let $S^i_h$ be the last statement from process i executed in reaching 
$(c_{m+k+1},v_{m+k+1})$ in C. Then 

   a) $(c_{m+k+1},v_{m+k+1}) = \delta(S_k, (c_{m+k},v_{m+k}))$ is defined, 
      $1 \le k \le n$. 

   b) $c^i_h \subseteq c_{m+k+1}$, i.e. the statement current in $PC^i$ 
      after $S^i_h$ is current in C after $S_k$. 

   c) $v^i_h(x) = v_{m+k+1}(x)$ $\forall x \in$ Proof-var$(S^i_h)$ 

   d) If no critical section on $r_j$ is in execution in 
      $(c_{m+k+1},v_{m+k+1})$, let p be the number of critical sections 
      on $r_j$ which have been executed in C before $S_k$. If p = 0, the 
      values of the variables of $r_j$ in $v_{m+k+1}$ are the values 
      recorded in initstate. If p > 0, they are the values recorded in 
      Rcomp[j], i.e. $x_{2p,1}, \ldots, x_{2p,m}$. 

Base step: For k = 0, a) does not apply. b) holds because 
$c^i_0 = \{T_i\}$ and $c_{m+1} = \{T_1, T_2, \ldots, T_N\}$. c) and d) hold 
because $v^i_0(x)$ = value recorded in v(initstate). 



Induction step: If $S_k$ is not a critical section statement, a)-d) follow 
from the induction hypothesis, since executing $S_k$ has the same effect in 
C as in $PC^i$. If $S_k$ is the critical section with $r_j$ when B do S, 
a) holds if no critical section on $r_j$ is in execution in $c_{m+k}$, and 
if $B(v_{m+k})$ is true. The first condition is satisfied because C starts 
and finishes critical sections for $r_j$ in the order given by 
v(Rcomp[j]) (5 above), and in v(Rcomp[j]) a critical section is not 
started before the last was finished (by $I(r_j)(v)$). 

For the second condition, suppose $S_k$ comes from process $T_i$. Then 
$B(v^i_h)$ = true from the fact that $PC^i$ is a process computation. Now 
$v^i_h(x) = v_{m+k}(x)$ $\forall x \in$ Proof-var$(S_k) - r_j$ (by c of the 
induction hypothesis). For $x \in r_j$, 

   $v_{m+k}(x)$ = value recorded in Rcomp[j] or initstate     (induction d) 

              = value recorded in Pcomp[i]                   (4 above) 

              = $v^i_h(x)$                                   (2c above) 

So $v_{m+k}(x) = v^i_h(x)$ $\forall x \in$ Proof-var$(S_k)$. Then 
$B(v_{m+k})$ = true, and a) is satisfied. b)-d) follow from the fact that 
executing $S_k$ has the same effect in C as in $PC^i$. 

To finish the proof of the lemma we must show that $v = v_{m+n+1}$. Now 

   $v_{m+n+1}(x) = v^i_{n(i)}(x) = v(x)$ $\forall x \in$ Proof-var$(T_i)$, 

from induction hypothesis c and 1 above. From induction hypothesis d and 
$I(r_j)(v)$, 

   $v_{m+n+1}(x)$ = last value in Rcomp[j] = v(x) $\forall x \in r_j$. 

Since every variable in T* belongs to either a process or a resource, 

   $v_{m+n+1} = v$. 

This finishes the proof of lemma 6.5. 